Zlib bug and analog

A security bug was announced yesterday in version 1.1.3 of the zlib compression library. Although analog uses zlib code, analog is believed not to be vulnerable to this bug.

The bug is caused by an error which attempts to free the same piece of allocated memory twice when uncompressing corrupt data.

On all platforms except the Mac, analog only contains code from zlib to compress data, not to uncompress it.

The Mac version does contain zlib code for uncomprssing data, but there is a wrapper round the zlib memory allocation functions which would automatically intercept requests for a double-free. (In addition, an attacker would have to introduce a corrupt compressed logfile onto the system in order to exploit this. If that can happen, you've got much bigger problems!)

Analog can request an external program to uncompress data using the UNCOMPRESS command; of course, that program should be checked to make sure it is not vulnerable.

Go to the analog home page.
Need help with analog? Use the analog-help mailing list.

Stephen Turner

Page last modified: 12-Mar-01